Every time you load a commercial webpage, a silent auction happens. Your approximate location, the page you’re viewing, your device model, and a persistent advertising identifier get broadcast to hundreds — sometimes thousands — of bidders in the few hundred milliseconds before the ad renders. The Irish Council for Civil Liberties has tracked this number for years: real-time bidding exposes an average U.S. internet user’s activity 747 times per day, or roughly 178 trillion broadcasts annually across the U.S. and Europe combined. Google alone routes RTB data to more than 4,600 companies for U.S. users. None of those recipients sign any meaningful contract with you.
That’s one surveillance system, operating legally, visible to nobody using the web normally. It sits alongside at least four others — browser fingerprinting, smart-device telemetry, ISP-level metadata collection, and government signals intelligence — each with its own technical basis, its own economics, and its own regulatory posture. What follows is a map of the whole terrain, including what’s shifted in the last eighteen months as enforcement finally caught up with a few of these practices.
The Tracking That Happens Inside Your Browser
Cookies used to carry the whole tracking economy. They don’t anymore, because the browsers fought back: Safari’s Intelligent Tracking Prevention, Firefox’s Total Cookie Protection, and Chrome’s staggered third-party cookie restrictions broke the classic pixel-and-cookie pipeline. What replaced it is worse for users and harder to block.
Browser fingerprinting identifies a device by composing dozens of passive and active signals — User-Agent string, installed fonts, screen resolution, time zone, WebGL renderer string from the GPU, AudioContext output, canvas rendering artifacts, battery level — into a signature that persists across cleared cookies, incognito sessions, and often browser reinstalls. The EFF’s Cover Your Tracks project has found that roughly 83% of browsers present a unique fingerprint on first encounter. Canvas fingerprinting, first documented by Mowery and Shacham in 2012, exploits the fact that identical HTML5 canvas drawing instructions render with microscopic pixel-level differences depending on GPU, driver, and OS font rasterization. Those differences are stable enough to serve as an identifier across sessions.
The defense has not kept up. Apple’s Advanced Fingerprinting Protection in WebKit blurs sensor values at the engine level; Chrome began testing a “Block fingerprinting tracking scripts in Incognito mode” flag in Canary builds in early 2026. Neither ships as a default on mainstream Chrome for regular browsing, and fingerprinting scripts remain trivially deployed — a few dozen lines of JavaScript, no server-side cooperation needed from the site operator.
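To make the composition step and the effect of engine-level normalization concrete, here is an added example (not code from the article or from any browser vendor). It composes a fingerprint from a constructed population of four browser signal sets, measures per-attribute surprisal the way Cover Your Tracks reports it, and then applies a hypothetical normalization in the spirit of Firefox's resistFingerprinting to show how uniqueness collapses. The signal values, the `normalize()` surface list and the FNV-1a stand-in hash are all assumptions of the example.

```javascript
// Added example (not from the article): how a fingerprinting script turns
// passive browser signals into a stable identifier, and why engine-level
// normalization collapses many browsers onto one value. All device records
// below are constructed sample data, not measurements from real machines.

// FNV-1a 32-bit: a fast non-cryptographic hash standing in for the hashes
// fingerprinting libraries use to reduce a signal list to a short id.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Compose the fingerprint from every signal in a fixed key order, so the
// same browser always produces the same id regardless of probe order.
function fingerprint(signals) {
  const keys = Object.keys(signals).sort();
  return fnv1a32(keys.map((k) => `${k}=${signals[k]}`).join('|'));
}

// Constructed population of four browsers. Two share a UA and time zone,
// but the canvas and WebGL strings differ on every machine.
const population = [
  { ua: 'Chrome/124 Windows', screen: '2560x1440', tz: 'America/Los_Angeles',
    fonts: 'Arial,Calibri,Segoe UI', webgl: 'ANGLE (NVIDIA GeForce RTX 3060)', canvas: 'a91f3c' },
  { ua: 'Chrome/124 Windows', screen: '1920x1080', tz: 'America/Los_Angeles',
    fonts: 'Arial,Calibri,Segoe UI', webgl: 'ANGLE (Intel UHD Graphics 630)', canvas: 'b77e10' },
  { ua: 'Chrome/124 macOS', screen: '1440x900', tz: 'America/New_York',
    fonts: 'Helvetica,Menlo,SF Pro', webgl: 'Apple M2', canvas: 'c0de55' },
  { ua: 'Firefox/128 Linux', screen: '1920x1080', tz: 'Europe/Dublin',
    fonts: 'DejaVu Sans,Liberation Sans', webgl: 'Mesa Intel Xe Graphics', canvas: 'd4e7a2' },
];

// How many distinct ids a tracker would see across the population,
// optionally after a per-browser transform such as normalize() below.
function uniqueCount(devices, transform = (s) => s) {
  return new Set(devices.map((d) => fingerprint(transform(d)))).size;
}

// Surprisal in bits of one signal value within the population (the measure
// Cover Your Tracks reports per attribute). Rare values identify; shared ones do not.
function surprisalBits(devices, key, value) {
  const matching = devices.filter((d) => d[key] === value).length;
  return 0 - Math.log2(matching / devices.length);
}

// Hypothetical engine-level normalization in the spirit of Firefox's
// resistFingerprinting: report the same generic value for every surface the
// engine controls. The exact set of surfaces here is an assumption for the
// example, not the browser's real preference list.
function normalize(signals) {
  return {
    ...signals,
    ua: 'Firefox/128 Windows',   // generic UA
    screen: '1400x900',          // fixed letterbox size
    tz: 'UTC',
    fonts: 'bundled-defaults',   // only engine-shipped fonts enumerable
    webgl: 'generic-renderer',
    canvas: 'readback-blocked',  // pixel readback denied or replaced by a fixed value
  };
}

// Summary a defender can print: raw uniqueness vs. uniqueness after normalization.
function report(devices) {
  return {
    raw: uniqueCount(devices),
    normalized: uniqueCount(devices, normalize),
    canvasBits: surprisalBits(devices, 'canvas', devices[0].canvas),
    tzBits: surprisalBits(devices, 'tz', devices[0].tz),
  };
}

console.log(report(population)); // { raw: 4, normalized: 1, canvasBits: 2, tzBits: 1 }
```

Nothing in the signal list depends on cookie state, which is why clearing cookies or opening an incognito window leaves `fingerprint()` unchanged; only altering the signals themselves, as `normalize()` does, changes the id.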
Then there are tracking pixels — 1×1 transparent images or JavaScript snippets that fire HTTP requests to third-party servers when a page loads. The Meta Pixel is the dominant example and has become the most-litigated piece of web code in U.S. history. After Javier v. Assurance IQ (9th Cir. 2022) confirmed that session-replay and pixel tracking fall under the California Invasion of Privacy Act (CIPA), nearly fifty class actions followed in the first year alone, and the wave hasn’t slowed. Healthcare providers have paid out at a staggering pace: Advocate Aurora Health settled for $12.25 million, Mass General Brigham for $18.4 million, Aspen Dental Management for roughly $18.5 million in 2025, and MarinHealth for $3 million. The aggregate across tracked cases from 2023 through mid-2025 exceeds $100 million. In re Meta Pixel Healthcare Litigation is still active in the Northern District of California; in May 2025, Magistrate Judge Virginia K. DeMarchi ordered Mark Zuckerberg himself to sit for a limited deposition.
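A site operator who wants to know whether a page ships beacons before it goes live can scan its HTML for exactly the pattern described above: third-party images that are 1×1 or hidden, and third-party script includes. The following is an added example (not code from the article), using constructed HTML and constructed vendor hostnames; a production check would add a maintained tracker host list and inspect the live network log as well as the static markup.

```javascript
// Added example (not from the article): a pre-deployment check a site owner
// can run over a page's HTML to find third-party beacons: 1x1 or hidden
// <img> tags and externally hosted <script> tags, each of which sends the
// visitor's IP, user agent and page URL (via Referer) to another party.
// The HTML and hostnames below are constructed; no real tracker is named.

const sampleHtml = `
<html><head>
  <script src="https://events.pixel-vendor.test/v2/events.js"></script>
  <script src="/static/app.js"></script>
</head><body>
  <img src="https://events.pixel-vendor.test/tr?id=CONSTRUCTED_ID&ev=PageView" width="1" height="1" style="display:none" />
  <img src="/images/logo.png" width="200" height="60">
  <img src="https://cdn.example-clinic.test/hero.jpg" width="1200" height="400">
  <img src="https://analytics.other-vendor.test/collect.gif" style="display: none">
</body></html>`;

// Pull the attributes we care about out of one tag's text.
function attributes(tag) {
  const attrs = {};
  const re = /\b(src|width|height|style)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Resolve relative URLs against the first party so "/static/app.js" is
// attributed to the site itself, then return the request's hostname.
function hostOf(src, firstPartyHost) {
  return new URL(src, `https://${firstPartyHost}/`).hostname;
}

// A request is third-party when its host is neither the first-party host
// nor one of its subdomains.
function isThirdParty(src, firstPartyHost) {
  const host = hostOf(src, firstPartyHost);
  return host !== firstPartyHost && !host.endsWith(`.${firstPartyHost}`);
}

// Heuristics for a beacon image: 1x1 dimensions or hidden via inline style.
function looksLikeBeacon(attrs) {
  const tiny = attrs.width === '1' && attrs.height === '1';
  const hidden = /display\s*:\s*none/i.test(attrs.style || '');
  return tiny || hidden;
}

// Returns one finding per third-party pixel or script: { kind, host, url }.
function findBeacons(html, firstPartyHost) {
  const findings = [];
  for (const tag of html.match(/<(?:img|script)\b[^>]*>/gi) || []) {
    const attrs = attributes(tag);
    if (!attrs.src || !isThirdParty(attrs.src, firstPartyHost)) continue;
    const kind = /^<script/i.test(tag) ? 'script' : looksLikeBeacon(attrs) ? 'pixel' : null;
    if (kind) findings.push({ kind, host: hostOf(attrs.src, firstPartyHost), url: attrs.src });
  }
  return findings;
}

console.log(findBeacons(sampleHtml, 'example-clinic.test'));
```

Visible third-party images (a partner logo, say) are deliberately not reported here, although they too leak the page URL through the Referer header; extending `findBeacons()` to report them under a separate kind is a one-line change.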
How the Ad-Tech Pipeline Actually Broadcasts Your Data
The pixel is only the frontend. The backend is real-time bidding (RTB), an industry-standard auction protocol defined by the Interactive Advertising Bureau’s OpenRTB specification. Each bid request carries a payload: a mobile advertising ID or hashed cookie, IP address, coarse or precise geolocation, user-agent, the URL or app context being viewed, IAB content taxonomy codes, and often inferred audience segments. That payload is broadcast simultaneously to hundreds of demand-side platforms per auction. An IAB TechLab document titled pubvendors.json concedes that once broadcast, there are “no technical measures” to control what recipients do with the data.
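What that payload looks like, and what a publisher or supply-side platform could strip before broadcasting it, is easier to see on a concrete request. The block below is an added example (not from the article or the IAB). Its object and field names (`device.ifa`, `device.lmt`, `device.geo`, `user.data`, `regs.ext.gdpr`, `user.ext.consent`) follow OpenRTB 2.5 and the IAB TCF guidance, but every value is constructed and the minimization policy is this example's own, not anything the specification requires.

```javascript
// Added example (not from the article or the IAB): a publisher- or SSP-side
// minimizer for an OpenRTB 2.5-style bid request. Field names follow the
// spec; all values are constructed. The policy is the example's, not an
// IAB requirement.

const sampleRequest = {
  id: 'req-0001',
  imp: [{ id: '1', banner: { w: 300, h: 250 } }],
  site: {
    domain: 'example-news.test',
    page: 'https://example-news.test/health/managing-type-2-diabetes',
    cat: ['IAB7-3'],                                // IAB content taxonomy code (constructed choice)
  },
  device: {
    ua: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) CONSTRUCTED',
    ip: '203.0.113.77',                             // documentation range, not a real client
    ifa: '3f2e7c4a-0b1d-4e2f-9a8b-7c6d5e4f3a2b',   // constructed advertising id
    lmt: 1,                                         // user enabled Limit Ad Tracking
    geo: { lat: 37.77493, lon: -122.41942, type: 1, country: 'USA', city: 'San Francisco', zip: '94103' },
    make: 'Apple', model: 'iPhone', os: 'iOS',
  },
  user: {
    id: 'u-8841-constructed',
    data: [{ name: 'segments.vendor.test', segment: [{ id: 'seg-diabetes-intent' }] }],
  },
  regs: { ext: { gdpr: 1 } },                       // GDPR applies; no user.ext.consent string present
};

// Paths OpenRTB uses for data that identifies or locates the person.
const IDENTIFYING_PATHS = [
  'device.ifa', 'device.ip', 'device.ipv6', 'device.geo.lat', 'device.geo.lon',
  'device.geo.zip', 'user.id', 'user.buyeruid', 'user.data', 'site.page',
];

function get(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Which identifying fields a bid request still carries.
function identifyingFields(req) {
  return IDENTIFYING_PATHS.filter((p) => get(req, p) !== undefined);
}

// Return a minimized copy; the original request is left untouched.
function minimize(req) {
  const out = JSON.parse(JSON.stringify(req));
  const dev = out.device || {};

  // Honor device-level opt-outs: no advertising id when LMT or DNT is set.
  if (dev.lmt === 1 || dev.dnt === 1) delete dev.ifa;

  // Truncate IPv4 to the /24 so it names a block of addresses, not one client.
  if (typeof dev.ip === 'string') dev.ip = dev.ip.replace(/\.\d+$/, '.0');

  // Coarsen GPS-derived geo (type 1) to one decimal place (~11 km) and drop zip.
  if (dev.geo && dev.geo.type === 1) {
    dev.geo.lat = Math.round(dev.geo.lat * 10) / 10;
    dev.geo.lon = Math.round(dev.geo.lon * 10) / 10;
    delete dev.geo.zip;
  }

  // Under GDPR with no TCF consent string, strip user identifiers and segments.
  const gdpr = get(out, 'regs.ext.gdpr') === 1;
  const consent = get(out, 'user.ext.consent');
  if (gdpr && !consent && out.user) {
    delete out.user.id;
    delete out.user.buyeruid;
    delete out.user.data;
  }

  // Keep contextual signals (domain, content category) but not the full URL.
  if (out.site) delete out.site.page;

  return out;
}

const minimized = minimize(sampleRequest);
console.log(identifyingFields(sampleRequest)); // 8 identifying fields
console.log(identifyingFields(minimized));     // [ 'device.ip', 'device.geo.lat', 'device.geo.lon' ]
```

The point of listing what survives is that minimization is a publisher-side choice; once the request leaves the exchange, the pubvendors.json language quoted above applies and no recipient can be forced to discard what it received.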
The ICCL has characterized RTB as “the biggest data breach ever recorded.” Regulators were slow to agree, but enforcement has finally arrived. On January 14, 2025, the Federal Trade Commission finalized consent orders against data brokers Gravy Analytics and Mobilewalla — the first federal action targeting RTB specifically. The Mobilewalla complaint alleged the company bid in RTB auctions and retained the bid-request data whether or not it won, effectively using the auction protocol itself as a data-harvesting mechanism. The orders ban the sale of sensitive-location data, require deletion of historic precise geolocation, and mandate a supplier-consent assessment program.
The downstream story is worse. ICCL’s 2024 investigation documented that RTB payloads had become raw material for private surveillance vendors. A company called Near Intelligence used RTB ingestion to profile 152 million European internet users with home addresses, workplaces, and frequent locations. An Israeli firm, ISA, marketed a product called Patternz that draws real-time location, historical activity, and family-member inference from the same RTB feeds that exist to sell ads. The boundary between “ad targeting” and “commercial surveillance” has effectively collapsed.
The TV That Watches You Back
Smart TVs deploy Automated Content Recognition (ACR), a fingerprinting technology conceptually similar to Shazam: the device samples short audio or video clips of whatever is on screen, hashes them, and sends the hashes to a server that matches them against a reference library. A 2024 study by Vekaria, Anselmi, and colleagues, published at the ACM Internet Measurement Conference, black-box audited ACR traffic from Samsung and LG sets in the U.S. and U.K. Their findings were stark: ACR runs even when the TV is used as a passive external display for a game console, laptop, or third-party streaming stick; opt-outs vary in effectiveness between regions and manufacturers; and GDPR subject-access requests to Samsung and LG returned data volumes that did not correspond to what the researchers had actually captured on the wire.
The FTC’s 2017 Vizio settlement ($2.2 million, jointly with the New Jersey AG) remains the foundational U.S. case: Vizio had enabled ACR by default on 11 million televisions and remotely pushed the tracking capability onto older sets that lacked it at purchase. Enforcement went dormant for most of a decade and restarted in late 2024 when Texas Attorney General Ken Paxton filed lawsuits against Samsung, Sony, LG, TCL, and Hisense under state consumer-protection statutes, this time framing ACR partly as a national-security concern over where the data flows. Those cases remain active.
ACR is not the only vector inside your home. Smart speakers ship wake-word models that false-trigger; connected doorbells negotiate law-enforcement data-sharing relationships; voice assistants retain transcripts by default in many configurations. The common thread is that the device is subsidized by its data economy, not by its hardware margin — the same logic Vizio demonstrated when its platform revenue surpassed its TV sales revenue by a factor of two in 2021.
| Layer | Primary Collector | Mechanism | Defense Strength |
|---|---|---|---|
| Page content | Ad networks, analytics vendors | Pixels, SDKs, tag managers | MODERATE — blockers work |
| Browser identity | Anti-fraud firms, ad networks | Canvas, WebGL, font, audio fingerprinting | WEAK — Tor-level required |
| Ad auctions | RTB exchanges, data brokers | OpenRTB bid-request broadcast | NONE — user can’t opt out |
| Smart devices | TV, speaker, appliance OEMs | ACR, wake-word, telemetry | WEAK — disconnect or block |
| Network | ISP, mobile carrier | DNS, SNI, IP metadata | MODERATE — DoH, VPN, ECH |
| Signals intel | NSA, FBI via 702 directives | PRISM downstream, upstream taps | NONE for targets |
What Your ISP and the Government See
Below the application layer, your Internet service provider sees every unencrypted DNS lookup, every TLS Server Name Indication (SNI) field that leaks the destination hostname in the clear during the handshake, every IP address you contact, and every packet’s timing and size. Encrypted DNS (DNS-over-HTTPS, DNS-over-TLS) and Encrypted Client Hello (ECH) close some of those gaps, but adoption is uneven — ECH in particular depends on the destination server supporting it. The ISP retains this metadata long enough to satisfy subpoenas and, in the U.S., may monetize non-content browsing data under the federal law that rolled back the FCC’s 2016 broadband privacy rules.
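The SNI leak is easy to see at the byte level. The block below is an added example (not code from the article): it builds a minimal TLS ClientHello using the record and handshake layout from RFC 8446, then walks it the way a passive on-path observer would to recover the cleartext server name. A second build adds an ECH extension whose payload is a constructed opaque blob standing in for the real HPKE ciphertext (the extension codepoint 0xfe0d is from draft-ietf-tls-esni); with ECH the outer SNI carries only the provider's public name, which is what the observer gets.

```javascript
// Added example (not from the article): what an on-path observer can read
// from a TLS ClientHello. Record/handshake layout per RFC 8446. The ECH
// payload here is constructed filler, not a real encrypted inner ClientHello.

const EXT_SERVER_NAME = 0x0000;
const EXT_ECH = 0xfe0d; // encrypted_client_hello codepoint (draft-ietf-tls-esni)

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// server_name extension: list length, then name_type host_name(0), length, bytes.
function sniExtension(hostname) {
  const name = Buffer.from(hostname, 'ascii');
  const entry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]);
  const list = Buffer.concat([u16(entry.length), entry]);
  return Buffer.concat([u16(EXT_SERVER_NAME), u16(list.length), list]);
}

// Constructed ECH extension: a real one carries a config id and HPKE ciphertext.
function echExtension(innerCiphertext) {
  return Buffer.concat([u16(EXT_ECH), u16(innerCiphertext.length), innerCiphertext]);
}

// Build a minimal ClientHello record. Random and cipher list are filler;
// only the extension block matters to the observer below.
function buildClientHello(sniHost, extraExtensions = []) {
  const exts = Buffer.concat([sniExtension(sniHost), ...extraExtensions]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),                       // legacy_version TLS 1.2
    Buffer.alloc(32, 0x42),                          // random (constructed filler)
    Buffer.from([0x00]),                             // session_id length 0
    u16(4), Buffer.from([0x13, 0x01, 0x13, 0x02]),   // TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    Buffer.from([0x01, 0x00]),                       // compression_methods: null only
    u16(exts.length), exts,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Walk the record as an ISP or hotspot operator could and report the
// cleartext server_name plus whether an ECH extension is present.
function observeClientHello(record) {
  let off = 0;
  if (record[off] !== 0x16) throw new Error('not a handshake record');
  off += 5;                                  // content type, legacy version, length
  if (record[off] !== 0x01) throw new Error('not a ClientHello');
  off += 4;                                  // handshake type + 24-bit length
  off += 2 + 32;                             // legacy_version, random
  off += 1 + record[off];                    // session_id
  off += 2 + record.readUInt16BE(off);       // cipher_suites
  off += 1 + record[off];                    // compression_methods
  const extsLen = record.readUInt16BE(off); off += 2;
  const end = off + extsLen;
  const result = { sni: null, ech: false };
  while (off + 4 <= end) {
    const type = record.readUInt16BE(off);
    const len = record.readUInt16BE(off + 2);
    const data = record.subarray(off + 4, off + 4 + len);
    if (type === EXT_SERVER_NAME) {
      let p = 2;                             // skip server_name_list length
      while (p + 3 <= data.length) {
        const nameType = data[p];
        const nameLen = data.readUInt16BE(p + 1);
        if (nameType === 0) result.sni = data.subarray(p + 3, p + 3 + nameLen).toString('ascii');
        p += 3 + nameLen;
      }
    } else if (type === EXT_ECH) {
      result.ech = true;
    }
    off += 4 + len;
  }
  return result;
}

// Without ECH the observer learns the real destination.
function observeWithoutEch() {
  return observeClientHello(buildClientHello('clinic.example'));
}

// With ECH the true name is inside the encrypted payload; the outer SNI
// names only the hosting provider's public name.
function observeWithEch() {
  const constructedCiphertext = Buffer.alloc(48, 0xee);
  return observeClientHello(buildClientHello('public.cdn.example', [echExtension(constructedCiphertext)]));
}

console.log(observeWithoutEch()); // { sni: 'clinic.example', ech: false }
console.log(observeWithEch());    // { sni: 'public.cdn.example', ech: true }
```

Encrypted DNS hides the lookup that precedes this handshake; ECH hides the name inside it. Neither hides the destination IP address or the timing and size of the packets, which is why the table above rates the network layer only MODERATE even with both deployed.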
The government layer sits above that. Section 702 of the Foreign Intelligence Surveillance Act authorizes the NSA to compel U.S. electronic communication service providers — named ones include Google, Microsoft, Apple, and Meta — to turn over content matching specified selectors such as email addresses or phone numbers. The program known publicly as PRISM (SIGAD US-984XN) is the downstream collection mechanism; upstream collection taps internet backbone traffic at gateway level. The 2023 PCLOB report noted that Section 702 acquires more than 250 million internet communications annually. The Reforming Intelligence and Securing America Act (RISAA) reauthorized 702 in April 2024, and as of mid-April 2026 the EFF reports that a bipartisan group of lawmakers has pushed through a temporary extension while fighting to require probable-cause warrants for FBI queries of 702-collected U.S.-person data — the long-running “backdoor search” controversy.
The practical reality for most U.S. residents: if you are not a Section 702 target, incidental collection can still sweep up your communications with a foreign person, and FBI analysts can query that store using U.S.-person identifiers. How often this happens at the level of individual cases is not public, though annual FISC reports provide aggregate numbers.
The Data Broker Layer That Sells It All Back
All of the above feeds a secondary market. Data brokers aggregate signals from RTB exchanges, app SDKs, credit-reporting data, public records, and loyalty programs into packaged profiles sold to advertisers, insurers, hedge funds, political campaigns, and — until recently with fewer restrictions — foreign governments. The industry’s scale is difficult to measure because much of it operates without any direct consumer relationship.
Enforcement in 2025 and 2026 has focused sharply on the location-data subset of the broker market. In addition to the Gravy and Mobilewalla orders, California’s Delete Act (SB 362) went fully operational on January 1, 2026, when the California Privacy Protection Agency launched the Delete Request and Opt-Out Platform (DROP). DROP gives California residents a single request that propagates to every registered broker; starting August 1, 2026, brokers must process these requests every 45 days or face fines of $200 per day. In November 2024, CalPrivacy’s enforcement division settled with Growbots ($35,400) and UpLead ($34,400) for failure to register — a small number that signals how the agency intends to ratchet up. The Protecting Americans’ Data From Foreign Adversaries Act (PADFAA) of 2024 added federal teeth: on February 9, 2026, the FTC issued a formal reminder that violations could carry civil penalties of up to $53,088 each. Analysts at Perkins Coie expect the FTC’s first PADFAA enforcement action at some point during 2026.
What these regimes do not touch is the inference layer. Psychographic models built on “digital exhaust” — likes, clicks, dwell time, abandoned carts — can predict personality traits and political affiliations at roughly 70% accuracy without ever reading a bank record or a medical chart. Cambridge Analytica’s innovation was never the data access; it was the model on top. That model infrastructure remains intact at the major platforms and is not subject to the opt-out plumbing California just shipped.
Frequently Asked Questions
Does a VPN actually stop most of this? A VPN defeats your ISP’s view of destinations and your workplace or café network’s view of traffic. It does nothing against browser fingerprinting, pixel tracking, RTB, smart-TV ACR, or Section 702 — those operate at layers the VPN cannot touch. Treat it as a partial measure.
If I clear cookies and use incognito mode, am I anonymous? No. Canvas, WebGL, and audio fingerprinting produce a stable identifier that persists through cookie clears and incognito sessions. The EFF figure of 83% unique fingerprints assumes an ordinary, non-hardened browser.
Does opting out of ACR on my smart TV stop tracking? Partially. The Vekaria et al. study found that opt-outs reduce but do not fully eliminate ACR traffic on Samsung and LG. Disconnecting the TV from the network is the only fully effective measure, at the cost of losing smart features.
Can the California DROP delete my data from brokers outside the U.S.? Not directly. DROP reaches brokers registered in California. Foreign brokers and U.S. brokers that dodge registration are the CalPrivacy enforcement division’s stated next targets, but the mechanism is jurisdictional, not technical.
A Practical Stance for 2026
The defensive asymmetry is real. A single regular user cannot meaningfully defeat fingerprinting, RTB broadcast, or signals intelligence through personal configuration choices. What individuals can do is constrain the layers that are constrainable: encrypted DNS and ECH at the network layer, a hardened browser (Brave, Firefox with resistFingerprinting, or Tor for high-risk sessions) at the application layer, disconnecting or network-isolating smart devices at the home layer, and filing DROP requests at the data-broker layer. That stack closes maybe 40% of exposure.
The other 60% is structural and only regulators can fix it. The useful development over the last eighteen months is that U.S. enforcement has shifted from rhetorical concern to specific orders with specific dollar amounts. Whether that shift deepens or stalls depends largely on whether the FTC files the PADFAA action it has been hinting at, whether California’s DROP platform survives its first compliance cycle, and whether the probable-cause warrant requirement for Section 702 FBI queries makes it through the current extension fight. Watch those three files.